Roof Topping: Lessons in Social Engineering from a Clandestine Photographer
Editor’s Note: ITS does not condone trespassing, picking locks that aren’t yours, or breaking and entering. We engaged “Adventure Dan” with the intent of peering into the mindset of someone actively engaged in social engineering and to report back with information on the tools and techniques being employed by those that seek access to what we protect. Pull up a chair and learn about what to be on the lookout for with Roof Topping.
If you’ve been on social media in the last few years, you’ve most likely seen the photos and/or videos of a craze known as Roof Topping. First it was dizzying photos of people hanging off of scaffolding and construction equipment, then it was tall buildings and rooftop cranes. Before long, these daredevils were hanging from the railings, or ascending the lightning rods of the world’s tallest skyscrapers and posting the content to social media.
While most people focus on the vertigo-inducing photos and first-person-view videos of Roof Topping, my curious nature always left me scratching my head. Just how did they get up there? Were they picking door locks? Hiding in a closet until after everyone leaves? Crawling through air conditioner ducts like Bruce Willis in Die Hard? It turns out the answer is, “it depends.” For one Roof Topper, “Adventure Dan,” it’s a complex dance of skill sets.
Dan has a unique perspective on his Roof Topping antics and likes to use “non-destructive” means and methods to get into skyscrapers. He mostly relies on social engineering, but acknowledges he does break rules and possibly some laws, however justified he might feel by the fact that he’s not there to steal or damage anything. Further piquing my curiosity was the way he documents and showcases his traipsing, coming off more as a teacher than a braggart. He uses brains over brawn to achieve his objective. Walking around an office with a clipboard and tie may not have the same level of sex appeal as running around the city in the dark with bolt cutters, but Dan’s methods are far more intriguing. They’re also a good lesson on the way the mind works and the fallacies of human nature.
Urban Exploration Roots
Dan began his foray into Roof Topping by getting into abandoned buildings and construction sites while engaging in what he calls “UrbEx” (Urban Exploration). It was during this time that he began to toy with the idea of social engineering. “Infiltration was kind of a sub-genre of UrbEx,” Dan explained. Essentially, it wasn’t just about getting great photos, but the process it took to get there.
He and a few friends would scout a building or construction site, then don reflective vests and hardhats, walking right in as workers that belonged there. “Sometimes it’s just the way you walk and the way you present yourself,” Dan said, “there would be workers around and we would walk in with our cameras like we owned the place. When the workers would see that we weren’t lurking around or hiding in the shadows, which would make someone suspicious, we’d actually wave at them and say hi. When you wave at someone in a place you’re not supposed to be in, often times they don’t think you’re not supposed to be there; it puts people at ease.”
After a few excursions, Dan decided to up the ante and get into bigger and more challenging buildings, Roof Topping things like downtown skyscrapers. Oftentimes these skyscrapers are utilized by banks and even Federal entities, so needless to say, security was a little higher than in an abandoned building. He realized he’d need to do more than just dress the part and wave; he’d need to fully assume the role.
Knowledge Can Get You Into Anything
One of Dan’s Roof Topping targets was one of the tallest buildings in Dallas. He and his friends got into the building, where they began poking and prodding, searching for soft spots in the building’s security to access the roof. “If I can walk into your lobby and you don’t have any kind of key card access, reception desk, or any barrier to access the elevator, it’s highly likely I’ll make it to the roof because of your failure,” Dan exclaimed. The biggest failure on the part of building security was the ease with which Dan and his friends were able to enter the building, get past the lobby and into the elevators.
Ultimately, they discovered that the top floor was an office space with a reception desk at the front and they questioned whether there was even rooftop access at all. Dan refused to believe that and kept on studying the building, both in person and online. Searching the Internet, he pulled up an image of the skyscraper on Google Earth and found what he was looking for, anti-collision lights for aircraft. “I knew that if there was a light bulb on anything, that it would have to be changed.”
Confident that there was a way to get onto the roof, he devised a plan to get up the building, past the top floor reception area and through the office area without drawing unwanted attention. This would allow him to look for what he knew had to be there, a hatch, stairwell, or ladder leading to the roof.
Clipboard of Power, Vest of Authority
In the past, Dan briefly worked as an electrician and remembered that once they’d get clearance from the front desk, they could more or less walk around the work site as they pleased. He decided to assume the role of an electrician and attempt to get through the top floor reception area under the guise of doing an inspection of the building’s electrical panels. This would give him unbridled freedom to search for the opening to the roof. “We had kind of a running joke,” Dan stated, in regards to his Roof Topping crew, “we called it the clipboard of power and vest of authority. Having those two items has gotten us into a lot of places.”
To dress the part of an electrical inspector, he put on khaki pants, a polo shirt and donned a vest, tool belt, safety glasses, clipboard, calculator and a white RFID badge on a retractable lanyard.
“Putting a badge on gives you the appearance of authority. It shows that you have permission to be there because you have an access card and you’re trusted to be somewhere. This puts people at ease.”
Somewhat comically, Dan’s RFID badge had neither data imprinted on it, nor any markings on the outside. For all intents and purposes, it was simply a white piece of plastic. He also drafted a work order for his clipboard to complete his Roof Topping persona, modeled after what he saw during his tenure as an electrician. It included a fake company and address.
The Exit Plan
Dan had a feasible plan to get to the roof, but he also understood there was a chance of getting caught. His alibi was such that even if he was denied access, he would leave the staff none the wiser of his actual intent. Having a rehearsed story would enable him to maintain cover and avoid any sort of trouble.
The owners of the building he was trying to access had another building down the street, so Dan came up with a cover story of being a confused worker. Should his cover be blown, he’d simply act as if he went to the wrong building and that he was really supposed to be down the road, making his presence just an innocent mistake.
He practiced both his cover and his exit plan in the mirror multiple times before his actual attempt at Roof Topping, as he wanted the stories to come naturally and his cover to feel authentic.
Making a Good First Impression
The day of execution came and Dan made his way up the skyscraper. Bypassing the security measures he’d scouted on previous trips was the easy part. He got to the top floor reception desk and although extremely nervous, he confidently approached the secretary and stated he was there to conduct an electrical panel inspection. Slightly confused, she asked if he was with building maintenance, to which he said yes and that he was there to conduct a routine check. “That’s good timing,” she said, “the other maintenance guys are up here right now too.”
Dan started worrying immediately, “I was crapping my pants at this point and I thought, oh great, of all the people that could be up here right now, it’s the people that I’m saying I’m supposedly with and who could call me on my story immediately.” He maintained his composure, relieving the anxiety he was feeling by looking around the area and scribbling notes on his clipboard, playing the part of a bored employee just trying to get the work done.
The secretary had Dan follow her through the office area and took him to meet with the maintenance crew. They approached two of the maintenance guys who turned out to be maintenance managers. “Hey gentlemen, this man is here to conduct an inspection,” the secretary told them. They looked at each other confused and then looked back at Dan and the secretary.
Dan politely introduced himself and gave his spiel to the two men. “I think the most important part of a successful social engineering penetration is the first impression. I think when you see someone and the first impression you get of them and who they are, your brain really concretes that as the truth. When they looked at me, I was obviously in their eyes an inspector. I had my clipboard, I had my tools, I was dressed nicely, so it became not a question of who I was, or who I said I was, but a question of was I in the right place,” Dan told me of the encounter.
Maintaining Cover with Authority
The two gentlemen asked if he was with building maintenance or with a tenant. Although not prepared for this question, Dan remembered from his time as an electrician that buildings often had their own maintenance that the tenants would contract out for specific tasks. “I’m with a tenant,” Dan stated confidently. The two men immediately relaxed and told the secretary they’d show him to the electrical room.
“I couldn’t believe it, they instantly weren’t at all suspicious, even pulling out their keys to the room to let me in. It was a huge relief,” said Dan. They took him to the room and Dan noticed that the main electrical panel was locked and asked, “Is that the electrical main?” They replied yes and Dan said, “That’s a code violation. The main can’t be locked, if there’s a fire you need to be able to get into there.” The two men looked briefly concerned and stated they would see to it that the lock be removed. In a slightly comical turn of events, this is a real building code and Dan, in his guise as an inspector, got them to fix it.
Maintenance Workers Have the Most Access
The maintenance managers escorted him to the various electrical equipment rooms, where Dan checked breaker panels and electrical components as an electrician would. Unknown to the maintenance guys, Dan was also using this opportunity to scout the area to complete his Roof Topping mission. After going through the last room Dan knew he had to make a move quickly if he was going to find a way to the roof. “The last thing on my list is the emergency lighting in the stairwell leading to the roof, as well as the junction panel for the anti-collision lighting,” Dan told the men. They made their way to the stairwell leading to the roof, which was a nice open carpeted stairwell right in the middle of the office area. This was somewhat surprising to Dan, given that the entryways are usually industrial type stairs and ladders.
Once in the stairwell, Dan noticed a tripped circuit breaker and told the manager that he needed to check something on the back of the light itself. “Sure, go on ahead, there’s a ladder right over there,” one of the men told him. Dan then grabbed the ladder, climbed up and there it was, a rooftop view of the city of Dallas. A view that very few are privileged to see. Dan took it all in; a non-cleared person with rooftop access in one of the tallest and most secure skyscrapers in Dallas. Out of view from the manager he quickly began to take photos and video of himself with the skyline. “I was freaking out a little bit,” Dan said. He gathered himself together, told the manager his inspection was complete and walked back down the stairwell. He bid the secretary good day as he left the top floor, making his way down to the lobby and out of the skyscraper.
The End of the Road
This was the first skyscraper Dan managed to ascend and although it wasn’t his first use of social engineering, it was definitely the most complex and risky. It also wasn’t his last. As of this writing, Dan has worked his way to the top of almost all of the skyscrapers in Dallas, as well as multiple other buildings and sites of varying nature. Given the growing popularity and the saturation of Roof Topping, as well as the attention it’s getting, Dan expressed the desire to retire.
I asked Dan for some closing thoughts on Roof Topping and with no hesitation he said, “Nothing is perfect, nothing is impenetrable. With the right amount of knowledge and the right planning, anything is possible.” I’m almost curious to know what Dan chooses to tackle next, almost.
How would you protect against these types of social engineering attacks? How do you think you’d fare against someone that acted like they belonged in your building?